[rescue] Jeez!!! Are ethernet taps are a racket business?

Mike Johnson mike at enoch.org
Wed Jul 30 21:41:15 CDT 2003


Daniel de Young [daniel at velvetsea.com] wrote:
> $1500 for a glorified 3 port hub?
> 
> I just got an estimate on a 3 port 10/100 ethernet "tap".

Well, yes and no.  They are overly expensive, but they're more than just
a hub.  With taps, even if the tap loses power, packets still flow.
That said, $1500 seems high.  You could get three single port Shomitis 
for around $300 each.  Plug their outputs into an eight port 100Mbps hub,
 and as long as you don't exceed 100Mbps aggregate bandwidth, you're fine.

Taps are kinda difficult to use, though, because they split send and
receive.  It takes planning to be able to analyze the traffic that they
spit out.  The ghetto trick is a hub.  Slightly less ghetto is two NICs
and an OS that supports bonding (I've not done this, only heard it
works).
 
> My goal is to passively analyze traffic from my WAN, LAN, DMZ/802.11
> segments to a homebrew NIDS.
> 
> I guess I could three hubs in and use "read only" cables, but then I
> deal my LAN<-->DMZ effective bandwidth a blow.

I hate those cables.  They're hacks, and not elegant ones.  How much
bandwidth are you worried about?  Are 100Mbps hubs just not enough?
Will your IDS be able to keep up?  Are you putting three 100Mbps NICs in
the IDS?  I don't completely understand what you're doing.
 
> Anybody meditate on how to do this cheaper or even roll yer own?  Any
> hardware geeks ever cook something up on a breadboard or anything?

I've got a Shomiti at work.  I opened it up, and there really wasn't a
whole lot to it.  Anyone who comes up with a decent design would be
appreciated, I'm sure. :) 

Mike
-- 
"If life hands you lemons, YOU BLOW THOSE LEMONS TO BITS WITH 
 YOUR LASER CANNONS!" -- Brak

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc


